Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2021/10/22 01:07:15 UTC
[GitHub] [spark] wangyum opened a new pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
wangyum opened a new pull request #34362:
URL: https://github.com/apache/spark/pull/34362
### What changes were proposed in this pull request?
This PR backports HIVE-21498 to upgrade libthrift to 0.13.0.
### Why are the changes needed?
To address CVEs:
Component Name | Component Version Name | Vulnerability | Fixed version
-- | -- | -- | --
Apache Thrift | 0.11.0-4. | [CVE-2019-0205](https://nvd.nist.gov/vuln/detail/CVE-2019-0205) | 0.13.0
Apache Thrift | 0.11.0-4. | CVE-2019-0210 | 0.13.0
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Existing test.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
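An added example, not part of the pull request or of Spark's tooling: a check that parses a dependency manifest in the `name/version//jar` format used by the `dev/deps` files quoted in this thread and flags entries older than the fixed version from the table above. The function names and the sample manifest are constructed for illustration.

```python
import re

# Fixed version taken from the table in the pull request description.
FIXED_IN = {"libthrift": "0.13.0"}

# Constructed sample in the manifest format shown in this thread:
# <artifact>/<version>/<classifier>/<jar file name>
SAMPLE_MANIFEST = """\
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
libthrift/0.12.0//libthrift-0.12.0.jar
"""


def version_key(version):
    """Turn a version such as '0.11.0-4' into a comparable tuple of ints.

    Anything after the first '-' or '+' (a qualifier such as 'GA' or a
    vendor build number) is ignored, and the tuple is padded to four
    components so that '0.13' and '0.13.0' compare equal.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    parts += [0] * max(0, 4 - len(parts))
    return tuple(parts)


def parse_manifest(text):
    """Split manifest text into entries and a list of lines that do not parse."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("/")
        # A valid line has exactly four '/'-separated fields; the third
        # (classifier) may be empty, the name and version may not.
        if len(fields) != 4 or not fields[0] or not fields[1]:
            malformed.append((lineno, raw))
            continue
        name, version, classifier, jar = fields
        entries.append(
            {"name": name, "version": version, "classifier": classifier, "jar": jar}
        )
    return entries, malformed


def find_outdated(text, fixed_in=FIXED_IN):
    """Return (findings, malformed).

    findings is a list of (artifact, listed version, fixed version) for every
    tracked artifact whose listed version is below the fixed version.
    malformed lists unparseable lines so a broken manifest is not mistaken
    for a clean one.
    """
    entries, malformed = parse_manifest(text)
    findings = []
    for entry in entries:
        fixed = fixed_in.get(entry["name"])
        if fixed and version_key(entry["version"]) < version_key(fixed):
            findings.append((entry["name"], entry["version"], fixed))
    return findings, malformed


if __name__ == "__main__":
    found, bad = find_outdated(SAMPLE_MANIFEST)
    for name, listed, fixed in found:
        print(f"{name} {listed} is below fixed version {fixed}")
    for lineno, raw in bad:
        print(f"line {lineno}: cannot parse {raw!r}")
```
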
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046316449
Merged to master. I'll look at the backports next
[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949417333
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144529/
[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949283731
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144522/
[GitHub] [spark] SparkQA removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949305726
**[Test build #144529 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1041257636
No problem. Please let us know when the PR is ready, @wangyum .
[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734232033
##########
File path: sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
##########
@@ -45,11 +45,12 @@ public TSetIpAddressProcessor(Iface iface) {
}
@Override
- public boolean process(final TProtocol in, final TProtocol out) throws TException {
+ public void process(final TProtocol in, final TProtocol out) throws TException {
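Review bot: On the changed `process` signature, the `@Override` with a `void` return compiles only against a libthrift whose processor interface declares `process` as `void`, so this class under `org/apache/hive/service/auth` is now pinned to the upgraded library and can no longer build against the older one. Confirm that the method body (not shown in this hunk) no longer returns a value and that nothing in the module consumes the old `boolean` result, and add a short comment marking the divergence so a later re-sync of this file does not restore the old signature.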
Review comment:
I have no idea, does this cause problems across hive versions, if we modify this copy of the Hive code?
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949252676
Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/48993/
[GitHub] [spark] dongjoon-hyun edited a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun edited a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030919169
> I updated the description manually; I think this is good to go?
We have no evidence that this PR passes the CIs, do we, @srowen ? As I mentioned here (https://github.com/apache/spark/pull/34362#pullrequestreview-867034822), the latest CI failed.
[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949150067
cc @HyukjinKwon @juliuszsompolski We can upgrade to 0.13.0 first. If 0.16.0 is released, we can upgrade to 0.16.0 because we need [this patch](https://github.com/apache/thrift/pull/2470).
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734242476
##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
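Review bot: The added `javax.annotation-api/1.3.2` entry puts a new jar into the shipped dependency manifest with no stated need for it. If no code path requires it at runtime, exclude it where the dependency is declared and regenerate this manifest so the line disappears, rather than accepting an extra artifact in the distribution.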
Review comment:
I have removed javax.annotation-api-1.3.2.jar. It seems we do not need it:
```
LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
./lib/java/gradle/environment.gradle: compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
./lib/java/gradle.properties:javax.annotation.version=1.3.2
./lib/java/build/poms/pom-default.xml: <groupId>javax.annotation</groupId>
./lib/java/build/poms/pom-default.xml: <artifactId>javax.annotation-api</artifactId>
Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules
-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
./compiler/cpp/src/thrift/generate/t_java_generator.cc: indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
```
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734238451
##########
File path: pom.xml
##########
@@ -2442,6 +2442,10 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>javax.annotation</groupId>
+ <artifactId>javax.annotation-api</artifactId>
+ </exclusion>
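Review bot: The new `javax.annotation-api` exclusion sits next to the `slf4j-api` one with no comment saying why it is safe to drop. Add a one-line XML comment giving the reason, and check that the `dev/deps` manifests are regenerated in the same change so they agree with the resolved dependency set.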
Review comment:
It seems we do not need it:
```
LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
./lib/java/gradle/environment.gradle: compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
./lib/java/gradle.properties:javax.annotation.version=1.3.2
./lib/java/build/poms/pom-default.xml: <groupId>javax.annotation</groupId>
./lib/java/build/poms/pom-default.xml: <artifactId>javax.annotation-api</artifactId>
Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules
-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
./compiler/cpp/src/thrift/generate/t_java_generator.cc: indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
```
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1028005099
Ping @wangyum
[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1038565933
Sorry. I was on Chinese New Year holiday for the last 2 weeks. I used to test [Thrift 0.16-rc0](https://www.mail-archive.com/dev@thrift.apache.org/msg51912.html); Thrift 0.16 has not been officially released.
[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350101
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/49000/
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949645945
Hm, looks like our Java 8 tests pass though. It _might_ not affect Spark, but that makes me uneasy.
I suppose we can wait for 0.16.0, but not sure how many months away that is.
I wouldn't oppose merging this to move forward a bit
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030921269
Ah I see the tests passing but did not all applicable tests run? Is it because the tests need to be enabled to run in the submitter's acct?
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r809735466
##########
File path: sql/hive/src/main/java/org/apache/thrift/transport/TFramedTransport.java
##########
@@ -0,0 +1,200 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.thrift.transport;
+
+
+import org.apache.thrift.TByteArrayOutputStream;
+import org.apache.thrift.TConfiguration;
+
+/**
+ * This is based on libthrift-0.12.0 {@link org.apache.thrift.transport.TFramedTransport}.
+ * To fix class of org.apache.thrift.transport.TFramedTransport not found after upgrading libthrift.
+ *
+ * TFramedTransport is a buffered TTransport that ensures a fully read message
+ * every time by preceding messages with a 4-byte frame size.
+ */
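Review bot: In the class Javadoc, `{@link org.apache.thrift.transport.TFramedTransport}` resolves to this very file, because the class is declared in `package org.apache.thrift.transport`, so the pointer to the libthrift-0.12.0 original is lost. Replace it with the upstream source URL and tag, and reword the second sentence to say which caller fails with class-not-found and why. Declaring a class inside the library's own package also means two definitions can meet on one classpath if a libthrift jar ships the same name, so document how that is ruled out. Since the Javadoc describes the 4-byte frame size and the file imports `TConfiguration`, it would also help to state where the maximum frame length is enforced.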
Review comment:
Origin Java class: https://github.com/apache/thrift/blob/0.12.0/lib/java/src/org/apache/thrift/transport/TFramedTransport.java
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1032238721
- No, no tests ran. It was a build error due to `Could not find artifact org.apache.thrift:libthrift:jar:0.16.0 ` as I wrote in the previous comment.
- When you cannot check the result in Apache Spark repo, you need to visit their branch because sometimes GitHub Action notification doesn't work properly. In this PR, the following is his branch. And, you can see the actual GitHub Action result at the commit.
- https://github.com/wangyum/spark/tree/SPARK-37090
[GitHub] [spark] srowen closed pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen closed pull request #34362:
URL: https://github.com/apache/spark/pull/34362
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1056364919
Hi, All. This is reverted from all branches due to the regression.
Please see https://github.com/apache/spark/pull/35646
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046316570
Oh @wangyum do you have pull requests for the backports? the content looks OK, just bears testing
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046314651
Thank you for asking, @srowen . Sounds reasonable. No objection for backporting from my side.
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046313863
One last check from @dongjoon-hyun maybe; this and backports looks OK
[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949262279
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/48993/
[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949283731
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/144522/
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1025063230
I converted it back to `Ready for Review` because I did it before Apache Spark 3.2.1 release.
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1044861666
Looks like libthrift 0.16.0 was released and this passes, so should be good to go. Thoughts about backporting this to 3.2 and 3.1? (3.0, I presume, is EOL now). I guess I'm inclined to unless there is a non-trivial risk of breaking something, like Hadoop 2 compatibility.
[GitHub] [spark] wangyum commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1046146953
This is for branch 3.2 and 3.1:
https://github.com/apache/spark/compare/branch-3.2...wangyum:SPARK-37090-branch-3.2?expand=1
https://github.com/apache/spark/compare/branch-3.1...wangyum:SPARK-37090-branch-3.1?expand=1
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949237162
Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/48993/
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734238451
##########
File path: pom.xml
##########
@@ -2442,6 +2442,10 @@
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>javax.annotation</groupId>
+ <artifactId>javax.annotation-api</artifactId>
+ </exclusion>
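Review bot: the new `javax.annotation:javax.annotation-api` exclusion, added directly after the `slf4j-api` one, carries nothing in the pom that records why the artifact is safe to drop. Add a short XML comment above the `<exclusion>` stating the reason, so that a later dependency bump does not have to rediscover it, and keep the `dev/deps` manifest consistent with the exclusion.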
Review comment:
It seems we do not need it:
```
LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
./lib/java/gradle/environment.gradle: compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
./lib/java/gradle.properties:javax.annotation.version=1.3.2
./lib/java/build/poms/pom-default.xml: <groupId>javax.annotation</groupId>
./lib/java/build/poms/pom-default.xml: <artifactId>javax.annotation-api</artifactId>
Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
./compiler/cpp/src/thrift/generate/t_java_generator.cc: indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
```
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949305726
**[Test build #144529 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734240298
##########
File path: sql/hive-thriftserver/src/main/java/org/apache/hive/service/auth/TSetIpAddressProcessor.java
##########
@@ -45,11 +45,12 @@ public TSetIpAddressProcessor(Iface iface) {
}
@Override
- public boolean process(final TProtocol in, final TProtocol out) throws TException {
+ public void process(final TProtocol in, final TProtocol out) throws TException {
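Review bot: changing `process` from `boolean` to `void` removes the result that callers of this override could previously test, and the hunk shows only the signature line. Confirm that the method body no longer returns the delegate's result and that nothing in `sql/hive-thriftserver` still branches on the old return value, since a failure now surfaces only through `TException`.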
Review comment:
This change is copied from Hive:
https://github.com/apache/hive/commit/1945e2f67e5b09cdda40146b87e1ba492f897196#diff-8f288ca198b08c9f716e68a6743ae8937b4740b69f9019c10925fb8d8083a0b0
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949192271
**[Test build #144522 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).
[GitHub] [spark] yaooqinn commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
yaooqinn commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949453095
Interesting, `Thrift 0.13.0 does not work with JDK8` per https://issues.apache.org/jira/browse/THRIFT-5274
[GitHub] [spark] wangyum commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
wangyum commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734242476
##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
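Review bot: this added manifest line lists `javax.annotation-api-1.3.2.jar` as a shipped jar, while the `pom.xml` hunk in the same PR excludes `javax.annotation:javax.annotation-api`, so the two cannot both hold in the final patch. Settle on one outcome and update every profile manifest under `dev/deps` to match it, not only `spark-deps-hadoop-3.2-hive-2.3`.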
Review comment:
I removed javax.annotation-api-1.3.2.jar. It seems we do not need it:
```
LM-SHC-16508156:thrift yumwang$ grep -ER "javax.annotation" .
./lib/java/gradle/environment.gradle:ext.javaxAnnotationVersion = property('javax.annotation.version')
./lib/java/gradle/environment.gradle: compile "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
Binary file ./lib/java/.gradle/5.6.4/executionHistory/executionHistory.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/classAnalysis.bin matches
Binary file ./lib/java/.gradle/5.6.4/javaCompile/taskHistory.bin matches
./lib/java/gradle.properties:javax.annotation.version=1.3.2
./lib/java/build/poms/pom-default.xml: <groupId>javax.annotation</groupId>
./lib/java/build/poms/pom-default.xml: <artifactId>javax.annotation-api</artifactId>
Binary file ./lib/java/build/deps/javax.annotation-api-1.3.2.jar matches
./lib/java/build/tmp/javadoc/javadoc.options:-classpath '/Users/yumwang/opensource/thrift/lib/java/build/classes/java/main:/Users/yumwang/opensource/thrift/lib/java/build/resources/main:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.slf4j/slf4j-api/1.7.28/2cd9b264f76e3d087ee21bfc99305928e1bdb443/slf4j-api-1.7.28.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.10/7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5/httpclient-4.5.10.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpcore/4.4.12/21ebaf6d532bc350ba95bd81938fa5f0e511c132/httpcore-4.4.12.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.servlet/javax.servlet-api/4.0.1/a27082684a2ff0bf397666c3943496c44541d1ca/javax.servlet-api-4.0.1.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/javax.annotation/javax.annotation-api/1.3.2/934c04d3cfef185a8008e7bf34331b79730a9d43/javax.annotation-api-1.3.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-logging/commons-logging/1.2/4bfc12adfe4842bf07b657f0369c4cb522955686/commons-logging-1.2.jar:/Users/yumwang/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar'
./compiler/cpp/src/thrift/generate/t_java_generator.cc: indent(out) << "@javax.annotation.Generated(value = \"" << autogen_summary() << "\"";
```
[GitHub] [spark] AmplabJenkins removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350101
[GitHub] [spark] AmplabJenkins commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
AmplabJenkins commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949262279
Refer to this link for build results (access rights to CI server needed):
https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder-K8s/48993/
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949275575
**[Test build #144522 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).
* This patch passes all tests.
* This patch merges cleanly.
* This patch adds no public classes.
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-950593129
Thank you for pinging me, @HyukjinKwon .
cc @sunchao
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-960494136
Let's wait for a while since this is not for Apache Spark 3.2.1.
To prevent accidental merging, I converted this PR to the draft, @wangyum .
[GitHub] [spark] srowen commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030856153
I updated the description manually; I think this is good to go?
[GitHub] [spark] dongjoon-hyun commented on pull request #34362: [SPARK-37090][BUILD] Upgrade `libthrift` to 0.16.0 to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-1030919169
> I updated the description manually; I think this is good to go?
We have no evidence that this PS passes the CIs, do we, @srowen ? As I mentioned here (https://github.com/apache/spark/pull/34362#pullrequestreview-867034822), the latest CI failed.
[GitHub] [spark] HyukjinKwon commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
HyukjinKwon commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949152726
cc @srowen and @dongjoon-hyun too FYI
[GitHub] [spark] SparkQA removed a comment on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA removed a comment on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949192271
**[Test build #144522 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144522/testReport)** for PR 34362 at commit [`8d9e375`](https://github.com/apache/spark/commit/8d9e3757055426241c9c17b2199608092d9e42f7).
[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734231884
##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
Review comment:
Minor but legitimate thing we should do: update LICENSE-binary to add a line about the licensing of this, which is dual licensed as CDDL 1.1 and GPL + classpath. Just add one line around...
```
Common Development and Distribution License (CDDL) 1.1
------------------------------------------------------
javax.el:javax.el-api https://javaee.github.io/uel-ri/
javax.servlet.jsp:jsp-api
```
I suppose we need a copy of the license text in licenses-binary too, ideally
https://github.com/javaee/javax.annotation/blob/master/LICENSE
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949402270
**[Test build #144529 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/144529/testReport)** for PR 34362 at commit [`affe2f6`](https://github.com/apache/spark/commit/affe2f64457c67c133e45cfd6de372649d10e2cb).
* This patch passes all tests.
* This patch merges cleanly.
* This patch adds no public classes.
[GitHub] [spark] srowen commented on a change in pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
srowen commented on a change in pull request #34362:
URL: https://github.com/apache/spark/pull/34362#discussion_r734553574
##########
File path: dev/deps/spark-deps-hadoop-3.2-hive-2.3
##########
@@ -120,6 +120,7 @@ jakarta.ws.rs-api/2.1.6//jakarta.ws.rs-api-2.1.6.jar
jakarta.xml.bind-api/2.3.2//jakarta.xml.bind-api-2.3.2.jar
janino/3.0.16//janino-3.0.16.jar
javassist/3.25.0-GA//javassist-3.25.0-GA.jar
+javax.annotation-api/1.3.2//javax.annotation-api-1.3.2.jar
Review comment:
OK, I'm sure we don't use it directly, but that doesn't mean thrift doesn't need it.
That said, it's just a set of annotations, which are usually optional.
We exclude this elsewhere, so I think this is OK.
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949325426
Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49000/
[GitHub] [spark] SparkQA commented on pull request #34362: [SPARK-37090][BUILD] Upgrade libthrift to avoid security vulnerabilities
Posted by GitBox <gi...@apache.org>.
SparkQA commented on pull request #34362:
URL: https://github.com/apache/spark/pull/34362#issuecomment-949350072
Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/49000/